Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <CAP9KPhBTE-juckdOFzTAtm6311D5yOYfudq0r5=49bNECDa62w@mail.gmail.com>
Date: Thu, 11 May 2023 13:01:57 +1000
From: David Leadbeater <dgl@....cx>
To: oss-security@...ts.openwall.com
Cc: Turritopsis Dohrnii Teo En Ming <tdtemccnp@...il.com>, ceo@...-en-ming-corp.com, 
	Piotr Krysiuk <piotras@...il.com>
Subject: Re: New Linux kernel NetFilter flaw gives attackers
 root privileges

On Thu, 11 May 2023 at 08:08, Tobias Heider <tobias.heider@...onical.com> wrote:
[...]
> This would allow having opt-in unprivileged userns support only for confined and
> explicitly permitted applications and could hopefully drastically reduce the
> impact of similar bugs in the future.

While I think more explicit configurability is good and needed here,
it's possible to selectively block user namespaces by blocking
unshare/clone/setns via seccomp policies. For example Docker's default
policy[1] blocks unshare() and certain arguments to clone().

This is also configurable in systemd through the "RestrictNamespaces"
property on a service. The downside is this is per service, for
example setting "RestrictNamespaces=true" on sshd.service, but then a
user could run an exploit via say cron, so you'd have to audit all
your services for this to be a complete mitigation.

It's also worth pointing out user namespaces can be a powerful
security feature, again with systemd (using systemd-run for
demonstration purposes, I'd expect this to be an actual unit
configuration in production use):

sudo systemd-run -t -p PrivateUsers=true -p RestrictNamespaces=true -p
DynamicUser=true /bin/bash

Will give you a shell inside a user namespace providing some isolation
(see the docs for PrivateUsers[2]), but it restricts "unshare -Ur"
because of the RestrictNamespaces:

unshare: unshare failed: Operation not permitted

As this and other bugs have shown CAP_NET_ADMIN inside a user
namespace is a large attack surface, but an unprivileged user inside a
user namespace, without the ability to create further namespaces can
actually be a worthwhile hardening.

David

[1]: https://github.com/moby/moby/blob/master/profiles/seccomp/default.json#L626-L632
[2]: https://www.freedesktop.org/software/systemd/man/systemd.exec.html#PrivateUsers=

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.